From: Ward Vandewege
Date: Thu, 10 Feb 2022 18:47:18 +0000 (-0500)
Subject: 18676: remove script/get_anonymous_user_token.rb and update
X-Git-Tag: 2.4.0~89^2~3
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/ad2851bce9be401f8feac6570b3958ce93732cfd?hp=abd8c34dc8a21ff75fda2e60d6f2be9ef5722cb3
18676: remove script/get_anonymous_user_token.rb and update documentation.
Arvados-DCO-1.1-Signed-off-by: Ward Vandewege
---
diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index 2bd41829be..9ad081292e 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -35,10 +35,14 @@ TODO: extract this information based on git commit messages and generate changel
-h2(#main). development main (as of 2021-11-10) +h2(#main). development main (as of 2022-02-10) "previous: Upgrading from 2.3.0":#v2_3_0 +h3. Anonymous token changes + +The anonymous token configured in @Users.AnonymousUserToken@ must now be 50 characters or longer. This was already the suggestion in the documentation, now it is enforced. The @script/get_anonymous_user_token.rb@ script that was needed to register the anonymous user token in the database has been removed. Registration of the anonymous token is no longer necessary. + h3. Preemptible instance types are used automatically, if any are configured The default behavior for selecting "preemptible instances":{{site.baseurl}}/admin/spot-instances.html has changed. If your configuration lists any instance types with @Preemptible: true@, all child (non-top-level) containers will automatically be scheduled on preemptible instances. To avoid using preemptible instances except when explicitly requested by clients, add @AlwaysUsePreemptibleInstances: false@ in the @Containers@ config section. (Previously, preemptible instance types were never used unless the configuration specified @UsePreemptibleInstances: true@. That flag has been removed.) diff --git a/doc/install/install-keep-web.html.textile.liquid b/doc/install/install-keep-web.html.textile.liquid index 98c3165485..4942c96078 100644 --- a/doc/install/install-keep-web.html.textile.liquid +++ b/doc/install/install-keep-web.html.textile.liquid @@ -11,7 +11,7 @@ SPDX-License-Identifier: CC-BY-SA-3.0 # "Introduction":#introduction # "Configure DNS":#introduction -# "Configure anonymous user token.yml":#update-config +# "Configure anonymous user token":#update-config # "Update nginx configuration":#update-nginx # "Install keep-web package":#install-packages # "Start the service":#start-service 
@@ -105,15 +105,13 @@ h2. Set InternalURLs h2(#update-config). Configure anonymous user token -{% assign railscmd = "bin/bundle exec ./script/get_anonymous_user_token.rb --get" %} -{% assign railsout = "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz" %} If you intend to use Keep-web to serve public data to anonymous clients, configure it with an anonymous token. -# Generate a random string (>= 50 characters long) and put it in the @config.yml@ file, in the @AnonymousUserToken@ field. +Generate a random string (>= 50 characters long) and put it in the @config.yml@ file, in the @AnonymousUserToken@ field.
    Users:
-      AnonymousUserToken: "{{railsout}}"
+      AnonymousUserToken: "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"
 
diff --git a/services/api/script/get_anonymous_user_token.rb b/services/api/script/get_anonymous_user_token.rb
deleted file mode 100755
index 4c3ca34f07..0000000000
--- a/services/api/script/get_anonymous_user_token.rb
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/usr/bin/env ruby
-# Copyright (C) The Arvados Authors. All rights reserved.
-#
-# SPDX-License-Identifier: AGPL-3.0
-
-# Get or Create an anonymous user token.
-# If get option is used, an existing anonymous user token is returned. If none exist, one is created.
-# If the get option is omitted, a new token is created and returned.
-
-require 'optimist'
-
-opts = Optimist::options do
- banner ''
- banner "Usage: get_anonymous_user_token "
- banner ''
- opt :get, <<-eos
-Get an existing anonymous user token. If no such token exists \
-or if this option is omitted, a new token is created and returned.
- eos
- opt :token, "token to create (optional)", :type => :string
-end
-
-get_existing = opts[:get]
-supplied_token = opts[:token]
-
-require File.dirname(__FILE__) + '/../config/environment'
-
-include ApplicationHelper
-act_as_system_user
-
-def create_api_client_auth(supplied_token=nil)
- supplied_token = Rails.configuration.Users["AnonymousUserToken"]
-
- if supplied_token.nil? or supplied_token.empty?
- puts "Users.AnonymousUserToken is empty. Destroying tokens that belong to anonymous."
- # Token is empty. Destroy any anonymous tokens.
- ApiClientAuthorization.where(user: anonymous_user).destroy_all
- return nil
- end
-
- attr = {user: anonymous_user,
- api_client_id: 0,
- scopes: ['GET /']}
-
- secret = supplied_token
-
- if supplied_token[0..2] == 'v2/'
- _, token_uuid, secret, optional = supplied_token.split('/')
- if token_uuid[0..4] != Rails.configuration.ClusterID
- # Belongs to a different cluster.
- puts supplied_token
- return nil
- end
- attr[:uuid] = token_uuid
- end
-
- attr[:api_token] = secret
-
- api_client_auth = ApiClientAuthorization.where(attr).first
- if !api_client_auth
- # The anonymous user token should never expire but we are not allowed to
- # set :expires_at to nil, so we set it to 1000 years in the future.
- attr[:expires_at] = Time.now + 1000.years
- api_client_auth = ApiClientAuthorization.create!(attr)
- end
- api_client_auth
-end
-
-if get_existing
- api_client_auth = ApiClientAuthorization.
- where('user_id=?', anonymous_user.id.to_i).
- where('expires_at>?', Time.now).
- select { |auth| auth.scopes == ['GET /'] }.
- first
-end
-
-# either not a get or no api_client_auth was found
-if !api_client_auth
- api_client_auth = create_api_client_auth(supplied_token)
-end
-
-# print it to the console
-if api_client_auth
- puts "v2/#{api_client_auth.uuid}/#{api_client_auth.api_token}"
-end